US agency baffled by modern technology, destroys mice to get rid of viruses

The Economic Development Administration (EDA) is an agency in the Department of Commerce that promotes economic development in regions of the US suffering slow growth, low employment, and other economic problems. In December 2011, the Department of Homeland Security notified both the EDA and the National Oceanic and Atmospheric Administration (NOAA) that there was a possible malware infection within the two agencies' systems.

The NOAA isolated and cleaned up the problem within a few weeks.

The EDA, however, responded by cutting its systems off from the rest of the world—disabling its enterprise e-mail system and leaving its regional offices no way of accessing centrally held databases.

It then recruited an outside security contractor to look for malware and provide assurances that not only were EDA's systems clean, but also that they were impregnable against malware. The contractor, after some initial false positives, declared the systems largely clean but was unable to provide this guarantee. Malware was found on six systems, but it was easily repaired by reimaging the affected machines.

EDA's CIO, fearing that the agency was under attack from a nation-state, insisted instead on a policy of physical destruction. The EDA destroyed not only (uninfected) desktop computers but also printers, cameras, keyboards, and even mice. The destruction only stopped—sparing $3 million of equipment—because the agency had run out of money to pay for destroying the hardware.

The total cost to the taxpayer of this incident was $2.7 million: $823,000 went to the security contractor for its investigation and advice, $1,061,000 for the acquisition of temporary infrastructure (requisitioned from the Census Bureau), $4,300 to destroy $170,500 in IT equipment, and $688,000 paid to contractors to assist in development of a long-term response. Full recovery took close to a year.

The full grim story was detailed in the Department of Commerce audit released last month, subsequently reported by Federal News Radio.

The EDA's overreaction is, well, a little alarming. Although not entirely to blame—the Department of Commerce's initial communication with EDA grossly overstated the severity of the problem (though corrected its error the following day)—the EDA systematically reacted in the worst possible way. The agency demonstrated serious technical misunderstandings—it shut down its e-mail servers because some of the e-mails on the servers contained malware, even though this posed no risk to the servers themselves—and a general sense of alarmism.

The malware that was found was common stuff. There were no signs of persistent, novel infections, nor any indications that the perpetrators were nation-states rather than common, untargeted criminal attacks. The audit does, however, note that the EDA's IT infrastructure was so badly managed and insecure that no attacker would need sophisticated attacks to compromise the agency's systems.

EDA's CIO, the idiot at the center of this maelstrom of idiocy, will likely not be punished for gross incompetence.

That's our government in action.

Heh, if you think this sort of thing is limited to Government, you've not been involved in any big private industry projects or dealt with "rose to the level of their incompetence" corporate management.

Heck, the #1 reason that a big company brings in outside consultants is that the internal politics are so bad that it's impossible to get anything done. An outside consultant comes in, knocks heads, pisses people off, gets things done for two or five times over the budget, and then leaves. Meanwhile internal IT escapes largely blame free.

Office politics,hiring the brother in law, hiring your buddy for a kickback, Sheer friggin mind boggling stupidity. it's all something you see from the smallest organization to the largest. Government, Private, Non-profit, military, whatever. None are immune, some just have more or less than others.

Man, he did it all wrong.The right course of action would certainly be: 1. Wipe out the databases (the central ones, who knows what's already lurking there) 2. Smash the backups (if you're going to do it, better do it thoroughly) 3. For good measure, pass some industrial magnets over all the hard drives.

What's really sad is that this kind of "witch burning" approach is pretty consistent across the entire government, from ohmygodcancer cell phone warnings to banning GMO food to the NSA spying and SOPA/PIPA stuff.

Unaccountable people of very limited intelligence and motivation willing to do anything to prevent being accused of being "soft" on terrorism/crime/cybersecurity---because that's the only way they can lose their jobs. In other words, when costs (whether in terms of dollars or privacy) aren't taken into account by our government, then this behavior is exactly what we should expect.

And sadly, the incompetent management that wasted $2.7 million dollars will most likely not be fired.

Correction. Incompetent management can't be fired. These are civil service jobs. Civil servants are never fired; they can only be transferred to other positions in the same classification or re-assigned to different jobs.

Negative. This guy's career is over.

He'll get rated unsatisfactory for the entire year by his supervisor (there's basically no way they can not rate him that now), which gets him put back on probation. If he can't find a job at his grade he's competent he'll flunk his probationary period and be terminated.

This seems insane to some people and a lot of supervisors can't be bothered to document incompetence to get people put on probation, but I've gotten about three dozen people fired so far by taking the hour or two a week to document gross incompetence or lack of motivation to meet rating criteria. You can ding them extra hard for lying if their self evaluations at year end don't match your observations. If you're truly interested in getting someone fired, you have to be willing to deny their request for lateral transfer and then do the second year of documentation.

The first time you do so your office will wonder what prompted your vendetta against Bill the Fuckup. The second time you do it they're confused about what Billy the Screwup did to personally offend you. The third time they get the picture: their office has become a zero tolerance for non-performance zone. This usually prompts a wave of lateral transfers out and then you're done.

Of course, while you're doing this people are filing a non-stop stream of IG/ombudsman/EEO complaints against you, so you have to have your own shit straight.

That, in a nutshell, is why it is so hard for a GS worker to be fired. It takes an individual of surpassing intestinal fortitude and determination (and competence) to get them fired.

SES employees (like this guy, I'd guess) on the other hand can just be fired for incompetence without any drawn-out process. They're not unionized, you see.